Containerization and Isolation
Containerization and isolation are not new concepts. Some Unix-like operating systems have leveraged mature containerization technologies for over a decade.
In Linux, LXC, the building block that formed the foundation for later containerization technologies was added to the kernel in 2008. LXC combined the use of kernel cgroups (allows for isolating and tracking resource utilization) and namespaces (allows groups to be separated so they cannot “see” each other) to implement lightweight process isolation.
2013, Docker was introduced as a way of simplifying the tooling required to create and manage containers. It initially used LXC as its default execution driver (it has since developed a library called libcontainer for this purpose). Docker made them accessible to the average developer and system administrator by simplifying the process and standardizing on an interface. It spurred a renewed interest in containerization in the Linux world among developers.
Here is a brief timeline of key moments in container history
1979: Unix V7
The concept of containers was started way back in 1979 with UNIX chroot. It’s an UNIX operating-system system call for changing the root directory of a process and it’s children to a new location in the filesystem which is only visible to a given process.
The idea of this feature is to provide an isolated disk space for each process. Later in 1982 this was added to BSD.
2000: FreeBSD Jails
The need for FreeBSD jails came from a small shared-environment hosting
provider (R&D Associates, Inc.’s owner, Derrick T. Woolworth) desire to establish a clean, clear-cut separation between their own services and those of their customers, mainly for security and ease of administration.
Instead of adding a new layer of fine-grained configuration options, the solution adopted by Poul-Henning Kamp was to compartmentalize the system — both its files and its resources — in such a way that only the right people are given access to the right compartments – called “jails” – with the ability to assign an IP address for each system and configuration.
Virtuozzo developed the first commercially available container technology in
2001, which today is used by over 700 service providers, ISVs and enterprises to enable over 5 million virtual environments running mission-critical cloud workloads. Today, Virtuozzo continues to innovate in areas ranging from industry-leading virtualized object storage to cloud-optimized Linux distributions to groundbreaking container migration technologies.
A significant force in the open source community, Virtuozzo sponsors and/or is a contributor to numerous open source projects including OpenVZ, CRIU, KVM, Docker, OpenStack, and the Linux kernel.
2001: Linux VServer
Introduced in 2001, Linux VServer is a another jail mechanism that can be used to securely partition resources on a computer system (file system, CPU time, network addresses and memory). Each partition is called a security context, and the virtualized system within it is called a virtual private server.
Experimental patches continue to be available, but the last stable patch was released in 2006.
2004: Oracle Solaris Containers
2004 Oracle released Solaris Containers for x86 and SPARC systems, that combines system resource controls and boundary separation provided by zones, which were able to leverage features like snapshots and cloning from ZFS.
A Solaris Container is a combination of system resource controls and the boundary separation provided by zones. Zones act as completely isolated virtual servers within a single operating system instance.
2005: Open VZ (Open Virtuzzo)
Released by Parallels (formerly SWsoft), Open VZ offered an operating system-level virtualization technology for Linux which uses a patched Linux kernel for virtualization, isolation, resource management and checkpointing. Each OpenVZ container would have an isolated file system, users and user groups, a process tree, network, devices, and IPC objects.
Process Containers, developed by Google primarily — Paul B. Menage and
Rohit Seth — in 2006 for limiting, accounting, and isolating resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. Later on it was renamed to Control Groups to avoid the confusion multiple meanings of the term “container” in the Linux kernel context and merged to the Linux kernel 2.6.24.
It shows how early Google was involved in container technology.
2007: Control Groups merged into Linux kernel
Process Containers were renamed Control Groups (cgroups) and added to
the Linux Kernel in 2007. Redesign of cgroups started in 2013, with additional changes brought by versions 3.15 and 3.16 of the Linux kernel.
LXC stands for LinuX Containers and it is the first, most complete implementation of Linux container manager. It was implemented using cgroups and Linux namespaces. LXC was delivered in liblxc library and provided language bindings for the API in Python3, Python2, Lua, Go, Ruby, and Haskell.
CloudFoundry started Warden in 2011, using LXC in the early stages and later replacing it with its own implementation. Warden can isolate environments on any operating system, running as a daemon and providing an API for container management.
Cloud Foundry developed a client-server model to manage a collection of containers across multiple hosts, and Warden includes a service to manage cgroups, namespaces and the process life cycle.
LMCTFY stands for “Let Me Contain That For You”. It is the open source version of Google’s container stack, which provides Linux application containers. Applications can be made “container aware,” creating and managing their own subcontainers. Active deployment stopped in 2015 after Google started contributing core LMCTFY concepts to libcontainer.
The libcontainer project was initially started by Docker and now it has been moved to Open Container Foundation.
Docker is one of the most successful open source projects in recent history,
it’s fundamentally shifting the way people think about building, shipping and running applications, smoothing the way for microservices, open source collaboration, and DevOps. Docker is changing both the application development lifecycle and cloud engineering practices.
Docker uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces, and a union-capable file system such as aufs and others to allow independent “containers” to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines.
Every day, lot’s of developers are happily testing or building new Docker-based apps with Plesk Onyx – understanding where the Docker fire is spreading is the key to staying competitive in an ever-changing world. Want an overview of how Docker can fit into your stack? Check out 6 essential facts here.
Rocket started by CoreOS released reference implementation of an open specification, standardizing the packaging of images and runtime environments for Linux containers.
2016: Windows Containers
Microsoft also took an initiative to add container support to the Microsoft Windows Server operating system in 2015 for Windows based applications, called Windows Containers. Recently, Microsoft announced the general availability of Windows Server 2016, and with it, Docker engine running containers natively on Windows.
With this implementation Docker is able to run Docker containers on Windows natively without having to run a virtual machine to run Docker (earlier Docker ran on Windows using a Linux VM). This blog post by Michael Friis describes how to get setup to run Docker Windows Containers on Windows 10 or using a Windows Server 2016 VM.
Enjoy our free Infographic “Moments in Container History”. Download it, print it out and hang it at your desk.
Be well, do good, and stay Plesky!